U.S. Government networks thoroughly penetrated

I saw this in my webserver logs today, from the U.S. Nuclear Regulatory Agency. Clearly it’s a botnet bot.

148.184.174.62 – – [13/Oct/2009:12:25:44 -0400] “GET /wp-content/themes/mtdotnet
/images/kubrickfooter.jpg HTTP/1.1” 200 2443 “http://www.markturner.net/2009/10/01/michael-jordans-net-worth/” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)”
148.184.174.62 – – [13/Oct/2009:12:25:44 -0400] “GET /2009/10/02/oculan-in-the-news/feed/ HTTP/1.1” 200 797 “-” “Mozilla/4.0 (compatible;)”
148.184.174.62 – – [13/Oct/2009:12:25:44 -0400] “GET /2009/10/02/u2-yesterday-and-today/ HTTP/1.1” 200 6617 “-” “Mozilla/4.0 (compatible;)”
148.184.174.62 – – [13/Oct/2009:12:25:44 -0400] “GET /2009/09/30/juggling-breakthrough/feed/ HTTP/1.1” 200 2083 “-” “Mozilla/4.0 (compatible;)”
148.184.174.62 – – [13/Oct/2009:12:25:44 -0400] “GET /2009/09/30/netflixs-plan-to-take-over-the-world/ HTTP/1.1” 200 6419 “-” “Mozilla/4.0 (compatible;)”
148.184.174.62 – – [13/Oct/2009:12:25:45 -0400] “GET /2009/10/02/u2-yesterday-and-today/feed/ HTTP/1.1” 200 1375 “-” “Mozilla/4.0 (compatible;)”
148.184.174.62 – – [13/Oct/2009:12:25:45 -0400] “GET /2003/07/27/action-packed-weekend/feed/ HTTP/1.1” 200 1260 “-” “Mozilla/4.0 (compatible;)”

Continue reading →

Botnet

It’s definitely a botnet I’m seeing. Since it has a common HTTP_USER_AGENT I have banned that agent. If you’re a human and you’re still using IE6, you’re out of luck, dude.

Unknown bot detected

This morning I was looking through the webserver logs for MT.Net when I noticed the following three successive hits from yesterday:

91.120.21.161 – – [24/Sep/2009:07:34:15 -0400] “GET /category/Checking%20In/ HTTP/1.1” 404 11629 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
24.77.243.153 – – [24/Sep/2009:07:34:17 -0400] “GET /category/Checking%20In/ HTTP/1.0” 404 11629 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
200.43.232.165 – – [24/Sep/2009:07:34:22 -0400] “GET /category/Checking%20In/ HTTP/1.0” 404 11629 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”

Highly suspicious, right? Three different IPs hit the same obscure link at the same time, all with identical browser strings?

Then there were these hits from this morning:

77.94.32.33 – – [25/Sep/2009:06:42:14 -0400] “GET /2009/09/22/ HTTP/1.0” 200 15894 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
77.94.32.33 – – [25/Sep/2009:06:42:27 -0400] “GET /2009/09/23/ HTTP/1.0” 200 17625 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
77.94.32.33 – – [25/Sep/2009:06:42:34 -0400] “GET /wp-login.php?action=register HTTP/1.0” 200 4141 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
190.175.0.151 – – [25/Sep/2009:06:43:09 -0400] “GET /wp-login.php?action=register HTTP/1.1” 200 4141 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”

Continue reading →

Unknown warranty call

I got this car warranty call yesterday from a unknown Caller ID. My efforts to reach a live human being were unsuccessful as I got disconnected when I pressed “0.”

Here’s a recording of the call in case others were interested to hear what these calls sound like. When I get time I’ll add the others I collect.

Spam bot figures out SABRE math test

It was bound to happen eventually. This morning a spam bot figured out the math test check that my SABRE plugin was using to filter human website visitors from spam bots. This happened on one of my less-frequented blogs, which actually helped me discover it as that particular blog doesn’t get many registrations.

Looks like now I’ll have to graduate my blog universe to the full-blown CAPTCHA tests if I want to keep the Russian spammers from crashing the MT.Net party.

Turning the tables on hackers

Every dark cloud has a silver lining, and the recent hacker attacks on MT.Net are no exception. Once I had safely reassembled the website and taken measures against active attacks, I realized what risk hackers run when they attempt remote code execution attacks like the one they ran on my site: they expose the location of their hacker code!

After repelling a couple of attacks per day, I got wise and began to contact the owners of the websites used to attack my site, politely letting them know their servers had been compromised. After doing this for five or so websites, the hacker attacks against my site all but dried up! Perhaps I hit a nerve?

It’s still usually not worth the trouble to track hackers back to their original IP addresses (or at least, not worth the trouble for anyone lacking search warrant power), but taking away a few of a hacker’s precious hideouts sends a message that messing with me comes at a cost.

Blogging and hackers

I found the Stop Forum Spam site this morning when watching l0ser bots try to register accounts on MT.Net. A Google search on an email address used by an obvious bot brought me to the site. There’s an API for automated rejection of these fake user accounts which I’m thinking of using to head off many of the hacker attacks I’ve seen. I’m thinking blocking attacks at the Apache level would be ideal.

On another note, it looks like my WordPress hack post has become very popular with both hackers and webmasters alike. Hackers frequently use its url for attempt cross-site scripting attacks against my machine, while webmasters point to it as one of the first public announcements of a critical WordPress vulnerability. Kudos again to MT.Net reader Scootdawg for being the first to see my blog wasn’t working!

On yet another note, I’m thinking of writing a screenplay where a lowly blogger disses the reclusive dictator of a backwards Asian country and becomes an unwilling “guest” of the dictator for a bizarre weekend.

The legend of Michael Jordan

A story ran in today’s N&O about basketball legend Michael Jordan. The story aimed in part to debunk the widely-held belief that Michael Jordan was cut from the varsity basketball team at Laney High School in his hometown of Wilmington.

After reading this morning’s story I went to check Jordan’s Wikipedia entry. Sure enough, Wikipedia stated that Jordan was cut from the team:

He tried out for the varsity basketball team during his sophomore year, but at 5’11” (1.80 m), he was deemed too short to play at that level and was cut from the team. His taller friend, Harvest Leroy Smith, was the only sophomore to make the team.

(Note: it has since been updated in a way I can agree with.)
Continue reading →

MV Arctic Sea

Remember the Russian cargo ship MV Arctic Sea that allegedly disappeared after being hijacked? Experts familiar with piracy say the ship’s ordeal was anything but a typical piracy, as the ship officially carried a load of timber worth a mere $1.8 million. It was also allegedly hijacked in a busy European shipping lane where piracy is extremely rare.

A Russian journalist who was among the first to discount the official story has been told in a mysterious phone call to flee the country or be arrested: advice which he successfully took. This fuels further speculation that the MV Arctic Sea was carrying more than the load of timber that was officially reported.

Some think the ship was carrying unsanctioned cruise missiles and anti-aircraft units bound for Iran. Other speculation suggests that the Israeli Mossad or top officials in Russia found out about the smuggling operation and initiated the “hijacking” to intercept the shipment. The alleged arms shipment, some say, may have been put together by high Russian officials acting outside of the law, a “weapons mafia” as one Russian general termed it.

What is clear is that many media reports about the ship’s disappearance were deliberate falsehoods designed to disguise the real activity surrounding the ship. I suppose it will be a long time, if ever, that the public learns the truth about this mysterious incident.

Cardholder services: 916-219-8193

Got a call on my pay-per-use mobile phone from number 916-219-8193, claiming to be from “cardholder services” and saying I was eligible for a program to lower my interest rate.

The scamming scumbags are back in full effect.